Spyware Tied to China Targets Apps Used by Uyghurs, Cybersecurity Firm Says
Nearly a third of Uyghur-language Android apps shared on social media platforms or downloaded from third-party app stores since July are infected with spyware.
Nearly a third of Uyghur-language Android apps shared on social media platforms or downloaded from third-party app stores since July are infected with spyware, according to research provided exclusively to Bloomberg News.
The apps are predominately infected by two new malware strains that secretly enable hackers to access and transmit private photos, messages and contacts, according to researchers at the San Francisco-based cybersecurity firm Lookout Inc. The company is scheduled to publish its findings later on Thursday.
Different types of malware have targeted Uyghurs with cyber-espionage for about a decade, but the new campaigns are much broader in scope and sophistication, said Kristina Balaam, a staff threat intelligence researcher at Lookout. The new malware is hidden in more apps than before and harder to detect, she said.
The attackers, Balaam said, are “very, very active.”
“People are still being actively targeted and compromised,” she said.
Because Google Play is blocked to Android users in China, many users download apps from “sketchy, unofficial app stores” or from links that circulate on platforms such as Telegram that turn out to be infected, she said. Lookout's research found that Uyghurs living abroad -- who often delete popular Chinese apps such as TikTok and WeChat to avoid surveillance -- may also have had their phones infected by downloading apps from unofficial platforms or by opening malicious links. Some devices in Turkey were compromised, Balaam said.
Lookout's researchers believe the attackers are Chinese because some of the infrastructure overlaps with past Uyghur surveillance campaigns tied to China. In addition, Mandarin language was discovered on one of the servers used in the attacks, she said.
Liu Pengyu, spokesperson at the Chinese Embassy in Washington, said “we oppose wild guesses and malicious slurs against China,” adding the country opposes “all forms of cyber attacks.”
Many of the targeted apps offer sought-after services such as Uyghur-language dictionaries, translation and keyboards that enable users to type in Uyghur script. Other infected apps available on Uyghur-language social media chats and download stores offer battery managers, video players, radio, GPS and religious texts, all of which appear to be working normally but are in fact spying on the owner. Common messaging apps such as Telegram have also been compromised in cases where the app store itself is infected, Balaam said.
A representative for Telegram didn't respond to a message seeking comment.
Lookout researchers named the newest of the malware families BadBazaar. It was first identified in late 2021, but samples date back to 2018 and it is still found now, including this month in a popular prayer app named Quran Majeed, she said. The other malware family, Moonshine, was first disclosed in 2019 by the University of Toronto's Citizen Lab as being used in targeted phishing attacks of Tibetans sent over WhatsApp.
By tracking three different command-and-control servers associated with Moonshine, Balaam said researchers confirmed at least 637 devices had installed the poisoned apps. Similar figures weren't available for BadBazaar because researchers haven't been able to access the infrastructure associated with it, she said.
The company shared its findings with Alphabet Inc.'s Google, Apple Inc. and others in advance of publication, and also sent take-down requests to the servers that host malicious infrastructure, she said. Balaam said deleting the infected apps will remove the malware. She also recommends only downloading apps from Apple or Google's stores.
Representatives for Apple didn't respond to a request for comment. A spokesperson for Google said apps flagged by Lookout were never published and were rejected as part of a review process.
Beijing has repeatedly denied accusations of maltreatment of Uyghurs -- a large, predominantly Muslim minority group -- and defended its policy as countering separatism. In June, the US condemned China's policies toward religious minorities and repeated accusations that China had committed “genocide and crimes against humanity” against ethnic Uyghur Muslims and other minorities.
While surveillance is common inside China, some Uyghurs living elsewhere told Bloomberg they were taken aback by the potential breadth of the alleged spyware campaign.
One of them, Nursiman Abdureshid, a Uyghur living in Istanbul, said she lost contact with her family in China in 2017 and later learned they'd been arrested. She said she was shocked by the scope of Lookout's findings. (She doesn't believe she's been infected by the malware identified by Lookout because she doesn't use an Android phone, nor does she download Uyghur-language apps).
But Abdureshid added that she is already convinced the Chinese government is watching her and has decided to get on with her life anyway.
“Before I was so afraid I didn't even go to Uyghur restaurants. I didn't do anything and they still destroyed my life,” she said, referring to what Chinese officials told her was the arrest of her family members. “So now I feel like I can download anything, go to restaurants and attend protests. I've been living with this pain for more than five years. We don't have any choice.”